A sensor network for use in an aircraft, including a plurality of wireless nodes. A first wireless node of the plurality of wireless nodes is arranged to communicate with at least one other wireless node of the plurality of wireless nodes. The communication is via a secure communications channel and is on the basis of a control message received at the first wireless node. The at least one other wireless node is arranged to perform an operation on the basis of the control message.
1. An aircraft sensor network comprising:
a plurality of wireless nodes;
wherein a first wireless node of the plurality of wireless nodes is configured to receive a control message and at least one cryptographic key from a remote computing device external to the aircraft sensor network, and communicate with at least one other wireless node of the plurality of wireless nodes via a secure communications channel, on the basis of the received control message;
wherein the at least one other wireless node of the plurality of wireless nodes in the sensor network is arranged to perform an operation on the basis of the control message;
wherein the at least one cryptographic key is configured to secure the secure communications channel; and
wherein the first wireless node is configured to communicate with at least one other of the wireless nodes via the secure communication channel at least one replacement cryptographic key to replace the at least one cryptographic key,
wherein the first wireless node includes a first memory storing the at least one cryptographic key received from the remote computing device and a second memory, isolated from the first memory, storing an authentication cryptographic key, so that the at least one cryptographic key and the authentication cryptographic key are separate from one another,
wherein the first wireless node is configured to authenticate sensor data using the authentication cryptographic key, and
wherein the sensor data is received by the first wireless node from one or more of the plurality of the wireless nodes via the secure communication channel secured by the at least one cryptographic key.
8. An aircraft sensor network comprising:
a plurality of wireless nodes;
wherein a first wireless node of the plurality of wireless nodes is configured to receive a control message and at least one cryptographic key from a remote computing device external to the aircraft sensor network, and communicate with at least one other wireless node of the plurality of wireless nodes via a secure communications channel, on the basis of the received control message;
wherein the at least one other wireless node of the plurality of wireless nodes in the sensor network is arranged to perform an operation on the basis of the control message;
wherein the at least one cryptographic key is configured to secure the secure communications channel; and
wherein the first wireless node is configured to communicate with at least one other of the wireless nodes via the secure communication channel at least one replacement cryptographic key to replace the at least one cryptographic key,
wherein the first wireless node includes a first memory storing the at least one cryptographic key received from the remote computing device and a second memory, isolated from the first memory, storing an authentication cryptographic key, so that the at least one cryptographic key and the authentication cryptographic key are separate from one another,
wherein the first wireless node further comprises first and second processors configured to access the first memory and second memory respectively, the first and second processors being isolated from one another, the first memory being configured to be read from and written into by the first processor when the first wireless node is powered down and powered up, so that the at least one cryptographic key stored in the first memory can be replaced when the first wireless node is powered down.
2. The aircraft sensor network of
3. The aircraft sensor network of
4. The aircraft sensor network of
5. The aircraft sensor network of
6. The aircraft sensor network of
7. The aircraft sensor network of
This application claims priority to each of United Kingdom patent applications GB 1706752.1 filed 27 Apr. 2017; GB 1615976.6 filed 20 Sep. 2016 and GB 1609420.3 filed 27 May 2016 each of which is incorporated by reference in their entireties.
The present invention relates to a sensor network for use in an aircraft, to a method of operating a sensor network in an aircraft, and to aircraft wireless nodes configured for use in a sensor network in an aircraft.
Modern vehicles, for example aircraft, use sensors to detect parameters relating to the vehicles' operation. In particular, sensors may be placed around the vehicle to gather data which describes the state of the vehicle. This data can be used to help maintain the vehicle, including ensuring the safety of the vehicle and prolonging its lifetime. Sensors may be arranged in a wired or wireless system. A wireless system has advantages over a wired system in that cabling requirements and weight can be reduced, which may in addition lead to a simpler design. However, it can be harder to guarantee the integrity and confidentiality of the data in a wireless system, when compared to a wired system.
A first aspect of the present invention provides a sensor network for use in an aircraft, the sensor network comprising: a plurality of wireless nodes wherein a first wireless node of the plurality of wireless nodes is arranged to communicate with at least one other wireless node of the plurality of wireless nodes via a secure communications channel, on the basis of a control message received at the first wireless node; and wherein the at least one other wireless node of the plurality of wireless nodes in the sensor network is arranged to perform an operation on the basis of the control message.
Optionally, the first wireless node is arranged to receive the control message and one or more cryptographic keys from a remote computing device.
Optionally, the secure communications channel is secured by at least one of the one or more cryptographic keys.
Optionally, the first wireless node is arranged to communicate, via the secure communications channel, one or more replacement cryptographic keys for replacing at least one of the one or more cryptographic keys.
Optionally, the first wireless node comprises a communications interface for interfacing with a communications channel, other than the secure communications channel, to receive the one or more replacement cryptographic keys.
Optionally, the operation comprises a configuration operation to use at least one of the one or more replacement cryptographic keys in place of the at least one of the one or more cryptographic keys.
Optionally, the configuration operation comprises: causing the at least one other of the plurality of wireless nodes to send the at least one replacement cryptographic key to one or more of the plurality of wireless nodes.
Optionally, the sensor network is arranged to secure the secure communications channel using the at least one replacement cryptographic key.
Optionally, the control message comprises a request for data stored on the sensor network.
Optionally, the operation comprises communicating the data to the first wireless node, via the secure communications channel.
Optionally, the first wireless node is arranged to authenticate data received from the at least one other wireless node.
Optionally, the first wireless node is arranged to communicate with a remote computing device over a short-range communications channel.
Optionally, the first wireless node is a wireless sensor node.
Optionally, the first wireless node or the at least one other wireless node is a wireless access point.
A second aspect of the present invention provides an aircraft wireless node configured for use in a sensor network in an aircraft, the sensor network comprising a plurality of wireless nodes, the aircraft wireless node being arranged to: receive a control message; and communicate with at least one other wireless node of the plurality of wireless nodes of the sensor network, via a secure communications channel, on the basis of the control message.
Optionally, the aircraft wireless node comprises a communications interface for interfacing with a communications channel other than the secure communications channel.
Optionally, the aircraft wireless node is arranged to communicate with a remote computing device over a short-range communications channel.
A third aspect of the present invention provides an aircraft wireless node configured for use in a sensor network in an aircraft, the sensor network comprising a plurality of wireless nodes, the aircraft wireless node being arranged to: communicate, via a secure communications channel, with at least one other wireless node of the plurality of wireless nodes of the sensor network; and perform an operation on the basis of the communication via the secure communications channel, the operation being on the basis of a control message received at the at least one other wireless node.
Optionally, the operation of the aircraft wireless node comprises sending one or more received cryptographic keys to the at least one other wireless node.
A fourth aspect of the present invention provides an aircraft wireless node configured for use in a sensor network of an aircraft, the aircraft wireless node being configured to send one or more cryptographic keys to a remote computing device over a communications channel on receipt of a request for the one or more cryptographic keys.
Optionally, the communications channel is a short-range communications channel.
Optionally, the aircraft wireless node comprises a first storage for storing a first cryptographic key and a second storage for storing a second cryptographic key, wherein the first storage and second storage are isolated from each other.
Optionally, the aircraft wireless node is a sensor node or a wireless access point.
A fifth aspect of the present invention provides an aircraft comprising a sensor network or one or more aircraft wireless nodes according to the previous embodiments.
A sixth aspect of the present invention provides a method of operating a sensor network in an aircraft, the sensor network comprising a plurality of wireless nodes, the method comprising: communicating a control message to a first wireless node of the sensor network; the first wireless node communicating via a secure communications channel with at least one other wireless node of the plurality of wireless nodes of the sensor network; the at least one other wireless node performing an operation on the basis of the control message.
Optionally, the method comprises communicating one or more cryptographic keys to the first wireless node.
Optionally, the method comprises a computing device performing the communicating of the control message and the communicating of the one or more cryptographic keys.
Optionally, the method comprises retrieving the one or more cryptographic keys from a second wireless node in the sensor network, prior to communicating the one or more cryptographic keys to the first wireless node.
Optionally, the method comprises establishing the secure communications channel with at least one of the one or more cryptographic keys.
Optionally, the method comprises communicating one or more replacement cryptographic keys for replacing at least one of the one or more cryptographic keys.
Optionally, the method wherein the communicating the one or more replacement cryptographic keys comprises communicating the one or more replacement cryptographic keys to the first wireless node.
Optionally, the method comprises communicating the one or more replacement cryptographic keys via a communications channel other than the secure communications channel.
Optionally, the method wherein the communications channel other than the secure communications channel is a further secure communications channel.
Optionally, the control message comprises an instruction to replace at least one of the one or more cryptographic keys with at least one of the one or more replacement cryptographic keys.
Optionally, the method comprises communicating the one or more replacement cryptographic keys to the at least one other wireless node via the secure communications channel.
Optionally, the operation comprises a configuration operation to use the at least one of the one or more replacement cryptographic keys in place of at least one of the one or more cryptographic keys.
Optionally, the configuration operation comprises: sending the at least one of the one or more replacement cryptographic key to one or more of the plurality of wireless nodes.
Optionally, the operation comprises securing the secure communications channel using the at least one of the one or more replacement cryptographic keys.
Optionally, the control message comprises a request for data stored on the sensor network.
Optionally, the method comprises communicating a request to the at least one other node for data via the secure communications channel.
Optionally, the operation comprises communicating the data, via the secure communications channel, to the first wireless node.
Optionally, the method comprises authenticating the data using a cryptographic key.
Optionally, the operation comprises requesting the data from one or more of the plurality of wireless nodes.
Optionally, the control message is communicated to the first wireless node via a communications channel other than the secure communications channel.
Optionally, the communications channel other than the secure communications channel is a short-range communications channel.
Optionally, the method comprises authenticating the one or more cryptographic keys or the at least one replacement cryptographic key.
Optionally, the method wherein generating one or more cryptographic keys comprises performing a key exchange between two or more nodes of the sensor network.
Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
In the following description, for purposes of explanation, numerous specific details of certain examples are set forth. Reference in the specification to “an example” or similar language means that a particular feature, structure, or characteristic described in connection with the example is included in at least that one example, but not necessarily in other examples.
Certain methods and systems described herein relate to the operation of a sensor network in an aircraft. In examples described herein, references to “aircraft” include all kinds of aircraft, such as fixed wing, for example military or commercial aircraft, or unmanned aerial vehicles (UAVs), and rotary wing aircraft, for example helicopters.
Current aircraft on-board sensors may communicate data to avionics systems of the aircraft, via a wired communications link between each sensor and the avionics system. This configuration precludes a remote computing device outside the aircraft from being able to communicate with the on-board sensors or access sensor data collected by the on-board sensors without plugging-in the remote computing device to each individual sensor. This is a time-consuming process, particularly on an aircraft comprising a large number of sensors, and may directly impact time needed to be spent on maintenance of the aircraft. Moreover, the cabling required to operate a wired system can be prone to faults and increases the weight of the aircraft.
According to examples herein, a wireless sensor network system presents advantages over existing wired systems. For instance, it is possible to communicate directly with the sensors from outside of the system, which allows ground crew to carry out maintenance of the aircraft more efficiently, for example without having to go on board the aircraft. Furthermore, the wiring requirements for a network of wireless sensors are considerably lower than in a comparable wired system, which reduces the weight of the aircraft and makes manufacturing and designing the aircraft more straightforward.
Wireless sensor network systems, however, are open to a number of security threats. An attacker could use an attacker-controlled wireless device to spoof components of the sensor network and introduce false sensor data, eavesdrop on communications between the sensors and wireless access points in communication with the sensors, replay recorded messages or flood components of the sensor network with junk data. Furthermore, an attacker could use a wireless device to send specially crafted wireless messages to components of the sensor network. Such messages could trigger one or more vulnerabilities within the components, with the result that the attacker gains control over certain functions of the sensor network. Potentially, an attacker could use the sensor network as a stepping-stone to other critical components of the aircraft.
Examples described herein address these challenges by providing a secure sensor network that helps to ensure the confidentiality and integrity of data on the sensor network. In certain examples described herein, the data in the sensor network is protected by strong cryptographic algorithms that help to guarantee confidentiality and integrity of data. An aspect of ensuring cryptographic security lies in the ability to manage cryptographic keys. For example, it is advantageous to be able to “re-key” cryptographic keys on the sensor network, such that old keys can be invalidated when a sensor, that stores previously-used keys, is removed from the sensor network. In particular, it is desirable to take steps to ensure that the old keys can no longer be used to decrypt data on the sensor network. However, it is also desirable not to reduce the availability of data on the sensor network due to the increased security requirements in a wireless sensor network in comparison to a wired sensor network. Methods and apparatus described herein aim to help achieve data availability in a wireless environment without compromising security.
Certain other wireless nodes 120A, 120B are wireless access points (WAPs). Each of the WAPs 120 comprises a wireless interface, comprising a transmitter and a receiver for wirelessly communicating data, and at least one processor and memory for storing data. The WAPs 120 are configured to wirelessly receive sensor data generated by the plurality of sensor nodes 110 which are located on the aircraft. The WAPs 120 may be arranged to transmit the data to an avionics system of the aircraft. For example, if one or more of the sensor nodes 110 is located at the wheels of the aircraft, one of the WAPs 120 may be located in the landing gear bay and may be arranged to communicate data received from the sensor node(s) 110 at the wheels to the cockpit of the aircraft.
In the example shown in
The sensor network 100 of this example is a secure network. Each sensor node 110 and WAP 120 is arranged to communicate via a secure communications channel with at least one other node of the plurality of sensor nodes 110 and WAPs 120. In one example, the sensor network 100 is secured by one or more cryptographic keys, whereby each of the secure communications channels is secured using at least one of the one or more cryptographic keys. References to “securing” data herein comprise performing one or more cryptographic operations on the data using a cryptographic key and algorithm including, but not limited to, one or more of: encrypting, authenticating, signing or hashing data.
According to an example, the sensor network 100 uses one cryptographic master key to secure communications across the sensor network for the whole aircraft. The cryptographic master key prevents an attacker from intercepting and reading data that is transmitted on the sensor network 100. Moreover, each sensor node 110 may store one or more other cryptographic keys, which are used to protect the integrity of the sensor data that is received at the sensor nodes 110. In some examples, one or more additional cryptographic keys may be used for further cryptographic operations. For example, in one case, sensor nodes 110 securely communicate with WAPs 120 using session keys derived from the master key.
In certain examples, the sensor nodes 110 and WAPs 120 are arranged to carry out further input/output validation. For example, the sensor nodes 110 and WAPs 120 may be arranged to validate data by checking that data fields of incoming and outgoing data packets are of the expected length and/or that parameters, such as tyre pressure, are within expected or reasonable ranges for an aircraft.
According to an example, each of the sensor nodes 110 and WAPs 120 comprise at least a first and a second memory for storing at least a first and a second cryptographic key, respectively, in such a way that the keys are isolated from one another. In this example, obtaining a cryptographic key from the first memory does not provide access to a cryptographic key stored in the second memory, and so data that is secured by the second key is not compromised. In certain cases, the sensor nodes 110 and WAPs 120 may also comprise first and second processors that are isolated from one another. In a further example, the sensor nodes 110 and WAPs 120 may comprise “cold memory” which can be read from and written to in a powered-down state as well as when the node is powered up. For example, the cryptographic keys stored in the cold memory can be replaced when the node is in a powered down state. Thus keys can be replaced even in the event of a power failure.
Secure use of multiple cryptographic keys in a system requires a method of key management to mitigate risk. In particular, frequent re-keying and deletion of obsolete keys can help protect the system, if a component of the system becomes compromised by an attacker. Certain methods and systems described herein may be used to securely update or re-key one or more cryptographic keys. Cryptographic keys are, for example, re-keyed in response to changes in the sensor network 100. For example, a sensor node 110 may become defunct and require replacement. In such circumstances, it is desirable to be able to re-key any shared keys on the sensor network 100 to secure the sensor network 100 against an adversary that obtains the old sensor node and retrieves the previously used cryptographic keys from it. In particular, re-keying cryptographic keys invalidates previously used cryptographic keys on the sensor network 100. In another example, when a new sensor node 110 is installed on the aircraft it may be necessary to provide new keys and replace the existing keys with the new keys.
Some or all of the sensor nodes 110 and WAPs 120 are arranged to perform operations in response to control messages. The control messages may be received from remote computing devices that are external to the sensor network 100, or from other nodes of the sensor network 100. A wireless node 110, 120 may receive a control message, e.g. from a remote computing device, and perform one or more actions by communicating (via the secure communications channel) with at least one other wireless node of the plurality of sensor nodes 110 and WAPs 120. The at least one other wireless node is arranged to perform an operation on the basis of the control message. This operation may comprise communicating with further nodes in the sensor network 100. In another example, the at least one wireless node may perform an operation in relation to one or more cryptographic keys stored on the wireless node, or data stored on the wireless node on the basis of the control message. An operation comprising replacing a cryptographic key with a replacement cryptographic key may be performed. This operation is performed securely and may help to ensure that no attacker can compromise the sensor network 100. Further examples are described herein which allow an operator to communicate with a wireless node of the sensor network to initiate network operations. In particular, an operator can control a computing device to send a control message to a first wireless node to cause operations by many or all of the sensor nodes 110 and WAPs 120 of the sensor network 100.
In examples described herein, the computing device 210 may be a handheld computing device, such as a tablet computer, a smart phone, or a PDA. According to a first example, the computing device 210 comprises a wireless interface for communicating with the sensor node 110. According to a second example, a dongle may be coupled to the computing device 210 to provide the computing device with a wireless interface. In both cases, the computing device 210 can wirelessly transmit and receive data over a communications channel from the sensor node 110 via the wireless interface. According to an example, the communications channel is a different communications channel from the secure communications channels used in the sensor network 100 between the sensor nodes 110 and WAPs 120. In particular, the communications channel between the computing device and the sensor network may operate on a radio frequency distinct from secure communications channels that are used for communications between the sensor nodes 110 and WAPs 120 in the sensor network 100. The communications channel between the computing device 210 and sensor node 110A may be a short-range communications channel, such as a Bluetooth channel or Near-Field Communication (NFC) channel. According to examples described herein a “short-range” communications channel may be a channel that allows communication between a transmitter and receiver within physical proximity that is not accessible to attackers. How short the range is may be determined by the context of the operation of the sensor network. In particular, the range may have an upper limit determined to be within the range in which authorised personnel typically need to be to perform their duties. For instance, in cases involving large commercial aircraft that are typically serviced in hangars, which are secured from unauthorised personnel, the range may be less than 20 metres, less than 10 metres, less than five metres or even less than two metres or one metre. 
The range may be determined by the size of the aircraft and/or the size of the secured hangars or other secured areas within which the aircraft are expected to be maintained. In other cases, for instance relating to smaller aircraft, the range may be commensurately less than it is for large commercial aircraft, such as less than one metre, less than 50 cm or less than 10 cm. In some cases, range may be minimal, or even approaching touching distance, for example if there are insufficient barriers to prevent unauthorised personnel from approaching the vehicle. Alternatively, or in addition, range may be determined by physical constraints on accessing respective devices. For example, the range may need a lower limit in addition to an upper limit. The lower limit may be one metre, or two or five metres, if sensor nodes are out of the normal reach of an authorised person. In general, communications range upper and/or lower limits may be adjusted as needed according to operating context by adjusting communications power, communications protocol and/or RF shielding associated with the various devices and communications channels.
The computing device 210 may be operated by authorised ground crew personnel during, for example, maintenance of the aircraft. Authorised ground crew personnel can use the computing device 210 to interact with the sensor network 100 when the aircraft is stationed on the ground by bringing the computing device 210 in proximity of the sensor node 110A. According to examples described herein a short-range communications channel between the computing device 210 and the sensor node 110A is used to ensure only those persons authorised to be within the immediate vicinity of the aircraft can communicate with the sensor network 100 using the computing device 210. In particular, when a short-range communications channel is used, a person who tried to access the sensor network 100 remotely using an unauthorised device would not be able to communicate with the sensor network 100 over the short-range communications channel. In certain examples, the computing device 210 is also configured to communicate with the sensor network 100 via the secure communications channels used between the sensor nodes 110 and WAPs 120 in the sensor network 100. In particular, if the computing device 210 has access to the appropriate cryptographic keys to communicate with the sensor nodes 110 and WAPs 120, the computing device 210 may also be able to send and receive messages over those secure communications channels. The computing device 210 and sensor node 110A may implement one or more protocol stacks to communicate over different communications channels. According to an example, segregation between a wireless protocol stack that is used to communicate over the secure communications channel and a short-range communications protocol stack may be used to increase security in the computing device 210 and sensor node 110A. In particular, cryptographic keys used to secure communication in the wireless stack can be prevented from being exposed to the short-range communications protocol stack. 
This may be achieved by, for example, having physically separated memory and processors to implement the different protocols.
The computing device 210 is arranged to generate instructions and communicate control messages via its wireless interface to the sensor node 110A. For example, the computing device 210 may communicate a “REQUEST_DATA” control message to the sensor node 110A to cause the sensor node 110A to perform one or more actions in relation to data stored on the sensor network 100. In another example, the computing device 210 is arranged to communicate to the sensor node 110A a control message relating to security of the sensor network 100, such as “REKEY” that causes the sensor node 110A to initiate a re-keying of a cryptographic key that is in use in the sensor network 100.
The sensor node 110A is configured for the receipt of one or more control messages from the computing device 210 and to perform actions based on the control message(s). In particular, the sensor node 110A comprises a processor to process control messages and interpret instructions contained therein. Actions executed by the sensor node 110A may comprise communicating further messages, via secure communications channels, to others of the plurality of sensor nodes 110 and WAPs 120 of the sensor network 100, to cause the sensor nodes 110 and WAPs 120 to perform operations based on the control message.
There will now be described an example of a system which may be used in conjunction with the other apparatus and methods described herein to control a sensor network.
In
The computing device 210 is further arranged to transmit a control message to the first sensor node 110A, to cause the sensor network to perform one or more operations to install the new or replacement sensor node 110A. In response, the first sensor node 110A communicates with the WAP 120A via a secure communications channel 430, using one or more cryptographic keys that the computing device received from the second sensor node 110B. The secure communications channel 430 is used to establish new cryptographic keys on the first sensor node 110A, for example by performing a key exchange, using a key exchange algorithm, with the WAP 120A. Furthermore, the WAP 120A can perform further operations, such as distribution of the cryptographic keys from the sensor node 110A to the others of the plurality of sensor nodes in communication with the WAP 120A.
At block 510 a control message is communicated to a first wireless node of the sensor network. The first wireless node may be any of the sensor nodes 110, or WAPs 120, shown in the preceding Figures. According to a first example, the control message is generated at a computing device external to the sensor network, such as the computing device 210 shown in
In an example, the control message is generated by an operator initiating the generation of the control message at the computing device. The computing device may comprise a graphical user interface (GUI) that allows the operator to initiate various actions. For example, in the case of a data request, the computing device transmits a “REQUEST_DATA” message, via the communications channel between the computing device and the first wireless node, to the first wireless node. In a second example, the computing device communicates a control message to re-key a cryptographic key. In this case, the control message comprises a “REKEY” command and an identifier of the cryptographic key. The identifier may comprise an identifier of the key and also an identifier of the wireless node or nodes, in communication with the first wireless node, that store the key. Further additional messages may be communicated to the first wireless node by the computing device.
At block 520 the first wireless node communicates, via a secure communications channel, with at least one other wireless node of the plurality of nodes of the sensor network. In one example, communication with the at least one other wireless node comprises sending one or more messages via the secure communications channel. In one example, the one or more message(s) sent over the secure communications channel may comprise instructions to execute operations on the at least one other node. For example, the message(s) may comprise cryptographic keys and/or instructions to replace cryptographic keys with keys sent in the messages.
At block 530 the at least one other wireless node performs an operation on the basis of the control message. As described in examples herein, in one case the operation is an operation to secure the sensor network, such as an operation to re-key the aircraft sensor network. In another case, the operation may relate to obtaining data, such as aircraft sensor data, from other nodes in the plurality of wireless nodes in the sensor network.
According to an example, the step of communicating a control message to a first wireless node of the sensor network at step 510 may be preceded by a step of communicating one or more cryptographic keys to the first wireless node.
When the method 500 is implemented by the computing device 210 shown in
The control message may comprise an instruction to the sensor network to perform one or more operations in relation to the one or more cryptographic keys sent to the first wireless node. In particular, a control message sent from the computing device to the first wireless node causes the first wireless node to communicate, via a secure communications channel, with at least one other node of the sensor network. Communication between the first wireless node and the at least one other wireless node may comprise sending of the one or more cryptographic keys from the first wireless node to the at least one other wireless node and an acknowledgement from the at least one other wireless node to the first wireless node that a new cryptographic key has been received at the at least one other wireless node.
At block 610 one or more replacement cryptographic keys are communicated to the first wireless node. According to an example, the one or more replacement cryptographic keys is/are cryptographic keys used to secure one or more communications channels between wireless nodes of the sensor network and/or to secure data in the sensor network. In relation to the system 300 shown in
At block 620 a control message to replace at least one of the one or more cryptographic keys with at least one of the one or more replacement cryptographic keys is communicated to the first wireless node e.g. by a computing device such as computing device 210.
At block 630 the one or more replacement cryptographic keys are communicated to the at least one other wireless node via the secure communications channel from the first wireless node.
At block 640 a configuration operation to use the at least one of the one or more replacement cryptographic keys in place of the at least one of the one or more cryptographic keys is performed. This configuration operation may comprise performing one or more operations on data involving the new cryptographic keys. For example, a configuration operation may comprise decrypting or verifying data that is encrypted or signed with at least one of the old cryptographic keys and re-encrypting and/or re-authenticating the data with at least one of the new cryptographic keys.
Additionally or alternatively, in some examples, a configuration operation of forwarding the one or more replacement cryptographic keys from the at least one other node, to the other of the plurality of nodes in secure communication with the at least one other node, may be performed. For example, in the system 300 shown in
At step 710 a control message is communicated to the first wireless node. The control message comprises a request for data, “REQUEST_DATA”, and is received over a communications channel at a wireless interface of the first wireless node. As with method 600 shown in
At block 720 a request for data is communicated to at least one other node of the sensor network, via a secure communications channel between the first wireless node and the at least one other wireless node. When the method 700 is implemented on the system 300 shown in
At block 730 the at least one other wireless node performs an operation, to request data from one or more of the plurality of wireless nodes of the sensor network. In an implementation of the method shown in
At block 740 the at least one other node performs an operation comprising communicating data, via the secure communications channel, to the first wireless node. In an implementation of the method shown in
According to an example, the first wireless node is arranged to authenticate the data using a cryptographic key different from the cryptographic key used to secure the secure communications channel between the first wireless node and the at least one other wireless node. The cryptographic key used to perform the authentication may be stored in a separate memory and, in certain cases, handled by a different processor, that memory and processor being physically isolated from the memory and processor used to store and process the cryptographic key that secures the secure communications channel. In this arrangement an attacker who compromises the security of the secure communications channel, for example by obtaining the cryptographic key securing the channel, does not thereby compromise the authenticity of the data received at the first wireless node: forging accepted data would require a separate attack on the key used to authenticate it.
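The rekey procedure of blocks 610 to 640, the data request of blocks 710 to 740, and the separation of channel key from authentication key described above, as one added example that is not code from the patent or its assignee: a stdlib-only Python simulation of a first node (110A), a relay WAP (120A) and two sensor nodes. The node names, the JSON message fields, the HMAC-based sealed channel (a stand-in for a real AEAD such as AES-GCM) and the sample readings are all constructed assumptions.

```python
import hashlib, hmac, json, os, struct

def _sub(key, label):
    # Independent per-direction encryption and MAC subkeys derived from the channel key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, sender, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for a real AEAD.
    k = _sub(key, b"enc:" + sender.encode())
    blocks = (hmac.new(k, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, sender, seq, payload):
    """Encrypt-then-MAC frame: 8-byte sequence number || ciphertext || HMAC-SHA256 tag."""
    nonce = struct.pack(">Q", seq)
    ct = bytes(a ^ b for a, b in zip(payload, _stream(key, sender, nonce, len(payload))))
    return nonce + ct + hmac.new(_sub(key, b"mac:" + sender.encode()), nonce + ct, hashlib.sha256).digest()

def unseal(key, sender, frame, last_seq):
    """Verify the tag, reject a stale sequence number (replay), then decrypt."""
    nonce, ct, tag = frame[:8], frame[8:-32], frame[-32:]
    expect = hmac.new(_sub(key, b"mac:" + sender.encode()), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag")
    seq = struct.unpack(">Q", nonce)[0]
    if seq <= last_seq:
        raise ValueError("replay")
    return seq, bytes(a ^ b for a, b in zip(ct, _stream(key, sender, nonce, len(ct))))

class Node:
    """chan_key models the rekeyable first memory, auth_key the isolated second memory.
    A relay-only node (the WAP) holds no auth_key, so it cannot forge readings."""
    def __init__(self, name, chan_key, auth_key=None, reading=None):
        self.name, self.chan_key, self.auth_key, self.reading = name, chan_key, auth_key, reading
        self.downstream, self.pending, self.seq, self.last_seq = [], None, 0, {}
    def send(self, peer, msg):
        self.seq += 1
        reply = peer.receive(self, seal(self.chan_key, self.name, self.seq, json.dumps(msg).encode()))
        seq, pt = unseal(self.chan_key, peer.name, reply, self.last_seq.get(peer.name, 0))
        self.last_seq[peer.name] = seq
        return json.loads(pt)
    def receive(self, sender, frame):
        seq, pt = unseal(self.chan_key, sender.name, frame, self.last_seq.get(sender.name, 0))
        self.last_seq[sender.name] = seq
        reply = self.handle(json.loads(pt))
        self.seq += 1
        out = seal(self.chan_key, self.name, self.seq, json.dumps(reply).encode())
        self._activate_pending()   # the ack is sealed under the old key; switch only afterwards
        return out
    def _activate_pending(self):
        if self.pending:
            self.chan_key, self.pending, self.seq, self.last_seq = self.pending, None, 0, {}
    def handle(self, msg):
        if msg["cmd"] == "REKEY":
            # Blocks 630/640: forward over the still-valid old channel, then schedule the switch.
            forwarded = [self.send(p, msg) for p in self.downstream]
            self.pending = bytes.fromhex(msg["key"])
            return {"ack": "REKEY", "key_id": msg["key_id"], "node": self.name, "forwarded": forwarded}
        if msg["cmd"] == "REQUEST_DATA":
            if self.reading is None:   # relay: fan the request out (block 730)
                return {"node": self.name, "results": [self.send(p, msg) for p in self.downstream]}
            mac = hmac.new(self.auth_key, self.reading.encode(), hashlib.sha256).hexdigest()
            return {"node": self.name, "data": self.reading, "mac": mac}   # block 740
        return {"error": "unknown command"}
    def control(self, msg):
        """Control message arriving from the computing device at the first wireless node."""
        reply = self.handle(msg)
        self._activate_pending()
        return reply
    def verify_data(self, result):
        """Authenticity of a reading depends only on auth_key, never on the channel key."""
        expect = hmac.new(self.auth_key, result["data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, result["mac"])

def build_network():
    k_chan, k_auth = os.urandom(32), os.urandom(32)
    n1 = Node("110A", k_chan, auth_key=k_auth)          # first wireless node
    wap = Node("120A", k_chan)                          # relay only
    s1 = Node("110B", k_chan, auth_key=k_auth, reading="fuel_temp=12.5")   # constructed readings
    s2 = Node("110C", k_chan, auth_key=k_auth, reading="strain=0.031")
    n1.downstream, wap.downstream = [wap], [s1, s2]
    return n1, wap, s1, s2

def demo():
    n1, wap, s1, s2 = build_network()
    k_new = os.urandom(32)   # blocks 610/620: replacement key and REKEY reach the first node
    ack = n1.control({"cmd": "REKEY", "key_id": "chan-2", "key": k_new.hex()})
    switched = all(n.chan_key == k_new and n.pending is None for n in (n1, wap, s1, s2))
    res = n1.control({"cmd": "REQUEST_DATA"})           # blocks 710-740 over the new key
    readings = res["results"][0]["results"]
    genuine = all(n1.verify_data(r) for r in readings)
    # An attacker holding k_new can build a frame the channel accepts ...
    forged = dict(readings[0], data="fuel_temp=99.9")
    frame = seal(k_new, "120A", 99, json.dumps(forged).encode())
    seq, pt = unseal(k_new, "120A", frame, 0)
    forged_ok = n1.verify_data(json.loads(pt))          # ... but not one the data layer accepts
    try:
        unseal(k_new, "120A", frame, seq)               # same sequence number again: replay
        replayed = True
    except ValueError:
        replayed = False
    return {"ack": ack["ack"], "switched": switched, "readings": len(readings),
            "genuine": genuine, "forged_accepted": forged_ok, "replay_accepted": replayed}
```

Two design points carry over to a real deployment. Each node acknowledges under the old key and only then activates the replacement, so a node that never receives an acknowledgement for its forwarded REKEY still shares a working key with its upstream and can retry. And because the WAP relays readings without ever holding the authentication key, a compromised relay, or an attacker who has recovered the channel key, can inject frames that pass the channel check but not readings that pass `verify_data`.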
At block 810 one or more cryptographic keys are retrieved from the second wireless node. In the context of implementing the method 800 on the system 400 shown in
At block 820, the one or more cryptographic keys are communicated to the first wireless node. In the example shown in
At block 830, the first wireless node establishes a secure communications channel between itself and the at least one other wireless node using at least one of the one or more cryptographic keys. With reference again to
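The bootstrap of a replacement node at blocks 810 to 830, as an added example that is not code from the patent: the key retrieved from the second node and handed to the first node serves only to authenticate a Diffie-Hellman exchange with the WAP, and the channel key is derived fresh on both sides rather than sent over the air. The group constant is RFC 3526 group 14 (reproduced from memory, so check it against the RFC before relying on it); the party names, the offer layout and the HKDF labels are assumptions.

```python
import hashlib, hmac, secrets

# 2048-bit MODP group (RFC 3526, group 14). Verify the constant against the RFC before use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G, Q = 2, (P - 1) // 2   # safe prime: 2 generates the subgroup of prime order Q

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand, single output block."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

class Party:
    """One side of the exchange. `bootstrap_key` is the key handed over at block 820;
    it authenticates the exchange but never becomes the channel key."""
    def __init__(self, name, bootstrap_key):
        self.name, self.bk = name, bootstrap_key
        self.priv = secrets.randbits(255) | (1 << 255)   # 256-bit exponent is ample for group 14
        self.pub = pow(G, self.priv, P)

    def offer(self):
        # Public value bound to the sender name under the bootstrap key (assumed layout).
        pub = self.pub.to_bytes(256, "big")
        tag = hmac.new(self.bk, self.name.encode() + pub, hashlib.sha256).digest()
        return self.name, pub, tag

    def accept(self, peer_name, peer_pub, tag):
        """Check the peer holds the bootstrap key and sent a sane group element, then derive."""
        expect = hmac.new(self.bk, peer_name.encode() + peer_pub, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("peer does not hold the bootstrap key")
        y = int.from_bytes(peer_pub, "big")
        if not 1 < y < P - 1 or pow(y, Q, P) != 1:
            raise ValueError("public value outside the prime-order subgroup")
        shared = pow(y, self.priv, P).to_bytes(256, "big")
        salt = b"|".join(sorted([self.name.encode(), peer_name.encode()]))
        return hkdf_sha256(shared, salt, b"aircraft-sensor-channel-key")

def install_node():
    """Blocks 810-830 end to end; returns the bootstrap key and both derived channel keys."""
    bootstrap = secrets.token_bytes(32)     # retrieved from 110B, handed to 110A (constructed)
    new_node, wap = Party("110A", bootstrap), Party("120A", bootstrap)
    k_node = new_node.accept(*wap.offer())
    k_wap = wap.accept(*new_node.offer())
    return bootstrap, k_node, k_wap

def rogue_rejected():
    """A node that does not hold the bootstrap key cannot complete the exchange with the WAP."""
    wap = Party("120A", secrets.token_bytes(32))
    rogue = Party("110X", secrets.token_bytes(32))
    try:
        wap.accept(*rogue.offer())
        return False
    except ValueError:
        return True
```

The offers carry no nonce, so within one bootstrap epoch a recorded offer could be replayed to restart an exchange; treat the bootstrap key as single-use and retire it once the fresh channel key is in place, which is the effect of the flow above (new keys established on the first node, then distributed by the WAP). The subgroup check in `accept` is what stops a peer from steering the shared secret into a small set of values with a degenerate public value.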
Although the invention has been described above with reference to one or more preferred embodiments, it will be appreciated that various changes or modifications may be made without departing from the scope of the invention as defined in the appended claims.
Bill, Andrew, Warns, Timo, Bruggemann, Kurt
Patent | Priority | Assignee | Title |
7231180, | Mar 24 2004 | Honeywell International, Inc.; Honeywell International, Inc | Aircraft engine sensor network using wireless sensor communication modules |
8107397, | Jun 05 2006 | Purdue Research Foundation | Protocol for secure and energy-efficient reprogramming of wireless multi-hop sensor networks |
8332133, | Dec 08 2009 | Airbus Operations (S.A.S.) | Method and device for processing a request message received in an aircraft, from ground control, via a data transmission system |
8346949, | Jan 22 2002 | MPH Technologies Oy | Method and system for sending a message through a secure connection |
8787904, | Mar 12 2013 | SMARTSKY NETWORKS LLC | Aircraft based wireless communication system |
9008868, | Oct 09 2013 | Satcom Direct, Inc. | Cloud based management of aircraft avionics |
9043938, | Aug 31 2012 | Rockwell Collins, Inc.; Rockwell Collins, Inc | Secured wireless access system and related method |
9509679, | Nov 21 2014 | DROPBOX, INC | System and method for non-replayable communication sessions |
9947009, | Aug 06 2013 | Erik, Sandberg-Diment | Method and system for graphic and sonic encryption for securing data and electronic devices |
20040073571, | |||
20040127277, | |||
20050228996, | |||
20050262575, | |||
20060252422, | |||
20090063852, | |||
20090167535, | |||
20090243895, | |||
20100096452, | |||
20100164693, | |||
20100290622, | |||
20110211699, | |||
20110299470, | |||
20110302635, | |||
20120324218, | |||
20130005445, | |||
20130268759, | |||
20140028818, | |||
20140376721, | |||
20150030158, | |||
20150071139, | |||
20150203216, | |||
20150363981, | |||
20160099922, | |||
20160285844, | |||
20160294829, | |||
20160334786, | |||
20170201937, | |||
20170308895, | |||
20190007408, | |||
CN103442359, | |||
EP1803249, | |||
EP1876759, | |||
EP1993301, | |||
EP2031538, | |||
EP2706423, | |||
WO2007041824, | |||
WO2013121076, | |||
WO2008122906, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
May 26 2017 | Airbus Operations Limited | (assignment on the face of the patent) | / | |||
May 26 2017 | Airbus Operations GmbH | (assignment on the face of the patent) | / | |||
May 31 2017 | BILL, ANDREW | Airbus Operations Limited | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 048149 | /0310 | |
May 31 2017 | BRUGGEMANN, KURT | Airbus Operations Limited | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 048149 | /0310 | |
Jun 26 2017 | WARNS, TIMO | Airbus Operations GmbH | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 048149 | /0455 |
Date | Maintenance Fee Events |
Jul 29 2024 | REM: Maintenance Fee Reminder Mailed. |
Date | Maintenance Schedule |
Dec 08 2023 | 4 years fee payment window open |
Jun 08 2024 | 6 months grace period start (w surcharge) |
Dec 08 2024 | patent expiry (for year 4) |
Dec 08 2026 | 2 years to revive unintentionally abandoned end. (for year 4) |
Dec 08 2027 | 8 years fee payment window open |
Jun 08 2028 | 6 months grace period start (w surcharge) |
Dec 08 2028 | patent expiry (for year 8) |
Dec 08 2030 | 2 years to revive unintentionally abandoned end. (for year 8) |
Dec 08 2031 | 12 years fee payment window open |
Jun 08 2032 | 6 months grace period start (w surcharge) |
Dec 08 2032 | patent expiry (for year 12) |
Dec 08 2034 | 2 years to revive unintentionally abandoned end. (for year 12) |